IP Security (IPsec) provides transparent security services for IP communications, protects TCP/IP communications from tampering and eavesdropping, and effectively protects against network attacks. IPsec provides access control, connectionless integrity, data origin authentication, anti-replay service, and confidentiality. IPsec comprises a series of protocols for IP data security, including Authentication Header (AH), Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption.
The two ends using IPsec for packet transmission are called IPsec peers. The connection between these two peers is called an IPsec tunnel or IPsec connection.
IPsec uses security associations (SAs) to protect packets between two peers. An SA is a set of elements including the security protocols, encapsulation mode, encryption algorithm, shared key, and key lifetime. Because an SA is unidirectional, each peer must have two SAs (inbound SA and outbound SA) to protect bidirectional communications. The inbound SA encrypts the incoming packets and the outbound SA decrypts outgoing packets. The inbound direction is the direction in which traffic enters the IPsec tunnel, and the outbound direction is the direction in which traffic goes out of the IPsec tunnel.
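The SA pair described above, with the per-SA anti-replay state an inbound SA keeps, as an added example that is not part of the original text: a peer holds one inbound and one outbound SA per tunnel, selects the inbound SA by its SPI, and checks each received sequence number against a sliding window (the 64-entry window, field names and sample values are assumptions chosen for the example).

```python
from dataclasses import dataclass

WINDOW = 64  # anti-replay window width in sequence numbers (assumed for the example)


@dataclass
class SecurityAssociation:
    """One unidirectional SA: the elements the text lists plus replay state."""
    spi: int            # Security Parameters Index that selects this SA
    protocol: str       # "ESP" or "AH"
    mode: str           # "tunnel" or "transport" encapsulation
    cipher: str         # negotiated or manually configured algorithm
    key: bytes          # shared key (constructed sample value in the test)
    lifetime_s: int     # key lifetime in seconds
    highest_seq: int = 0  # highest sequence number accepted so far
    window: int = 0       # bitmap: bit k set <=> highest_seq - k was received

    def check_replay(self, seq: int) -> bool:
        """Accept seq if it is new and inside the window; record it if so."""
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest_seq:        # window slides forward
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:              # older than the window: drop
            return False
        bit = 1 << offset
        if self.window & bit:             # already seen: replay, drop
            return False
        self.window |= bit                # late but new: accept and record
        return True


def make_sa_pair(outbound_spi: int, inbound_spi: int, **params) -> dict:
    """Each peer needs two SAs per tunnel, one for each direction."""
    return {"outbound": SecurityAssociation(spi=outbound_spi, **params),
            "inbound": SecurityAssociation(spi=inbound_spi, **params)}


def receive(sa_pair: dict, spi: int, seq: int) -> bool:
    """Inbound processing: the packet's SPI must match the inbound SA,
    and its sequence number must pass the anti-replay check."""
    inbound = sa_pair["inbound"]
    if spi != inbound.spi:
        return False  # no SA selected by this SPI: packet is discarded
    return inbound.check_replay(seq)
```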
An SA can be created manually (Manual) or through IKE negotiation (ISAKMP).
A pair of IPsec peers such as two network nodes performs IKE negotiation to negotiate the security protocols, exchange IPsec authentication and encryption keys, and manage the negotiated keys.
In a one-to-many network scenario as shown in FIG. 1, one network node communicates with many other nodes. This application requires IKE negotiation to implement IPsec. The core site connects to each remote site over a VPN connection, but the remote sites do not set up VPN connections among one another. Remote sites carry out VPN communications with one another through the core site. For this purpose, the core site must be capable of concurrently establishing an IPsec connection and SAs with each remote site. In this case, IKE negotiation is recommended.
In a current solution, the network nodes of the core and remote sites each use a main board to implement IKE negotiation. The main board processes all sent and received IKE negotiation requests. Generally, a node is equipped with one IKE negotiation main board, and the processing capability of that board is limited. When the core site is establishing IPsec connections with multiple remote sites, the IKE negotiation main board at the core site must handle multiple IKE negotiation processes at once and thus cannot ensure high efficiency.